Module org.eclipse.jetty.ee10.servlet

Package org.eclipse.jetty.ee10.servlet.security

Class ConstraintSecurityHandler

java.lang.Object

org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.component.ContainerLifeCycle

org.eclipse.jetty.server.Handler.Abstract

org.eclipse.jetty.server.Handler.AbstractContainer

org.eclipse.jetty.server.Handler.Wrapper

org.eclipse.jetty.security.SecurityHandler

org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler

All Implemented Interfaces:

ConstraintAware, org.eclipse.jetty.security.Authenticator.Configuration, org.eclipse.jetty.server.Handler, org.eclipse.jetty.server.Handler.Container, org.eclipse.jetty.server.Handler.Singleton, org.eclipse.jetty.server.Request.Handler, org.eclipse.jetty.util.component.Container, org.eclipse.jetty.util.component.Destroyable, org.eclipse.jetty.util.component.Dumpable, org.eclipse.jetty.util.component.Dumpable.DumpableContainer, org.eclipse.jetty.util.component.LifeCycle, org.eclipse.jetty.util.thread.Invocable

public class ConstraintSecurityHandler
extends org.eclipse.jetty.security.SecurityHandler
implements ConstraintAware

ConstraintSecurityHandler

Handler to enforce SecurityConstraints. This implementation is servlet spec 3.1 compliant and pre-computes the constraint combinations for runtime efficiency.

Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.security.SecurityHandler

org.eclipse.jetty.security.SecurityHandler.NotChecked, org.eclipse.jetty.security.SecurityHandler.PathMapped

Nested classes/interfaces inherited from class org.eclipse.jetty.server.Handler.Abstract

org.eclipse.jetty.server.Handler.Abstract.NonBlocking

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.component.AbstractLifeCycle.AbstractLifeCycleListener, org.eclipse.jetty.util.component.AbstractLifeCycle.StopException

Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator.Configuration

org.eclipse.jetty.security.Authenticator.Configuration.Wrapper

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container

org.eclipse.jetty.util.component.Container.InheritedListener, org.eclipse.jetty.util.component.Container.Listener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable

org.eclipse.jetty.util.component.Dumpable.DumpableContainer

Nested classes/interfaces inherited from interface org.eclipse.jetty.server.Handler

org.eclipse.jetty.server.Handler.Abstract, org.eclipse.jetty.server.Handler.AbstractContainer, org.eclipse.jetty.server.Handler.Collection, org.eclipse.jetty.server.Handler.Container, org.eclipse.jetty.server.Handler.Sequence, org.eclipse.jetty.server.Handler.Singleton, org.eclipse.jetty.server.Handler.Wrapper

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.thread.Invocable

org.eclipse.jetty.util.thread.Invocable.Callable, org.eclipse.jetty.util.thread.Invocable.InvocationType, org.eclipse.jetty.util.thread.Invocable.ReadyTask, org.eclipse.jetty.util.thread.Invocable.Task

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

org.eclipse.jetty.util.component.LifeCycle.Listener

Nested classes/interfaces inherited from interface org.eclipse.jetty.server.Request.Handler

org.eclipse.jetty.server.Request.Handler.AbortException

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ANY_KNOWN_ROLE
static final String	ANY_ROLE

Fields inherited from class org.eclipse.jetty.security.SecurityHandler

SESSION_AUTHENTICATED_ATTRIBUTE

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

FAILED, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface org.eclipse.jetty.util.component.Dumpable

KEY

Fields inherited from interface org.eclipse.jetty.util.thread.Invocable

__nonBlocking, NOOP

Constructor Summary

Constructors

Constructor	Description
ConstraintSecurityHandler()

Method Summary

Modifier and Type	Method	Description
void	addConstraintMapping(ConstraintMapping mapping)	Add a Constraint Mapping.
void	addKnownRole(String role)	Add a Role definition.
boolean	checkPathsWithUncoveredHttpMethods()	Servlet spec 3.1 pg.
protected org.eclipse.jetty.security.Constraint	combineServletConstraints(org.eclipse.jetty.security.Constraint constraintA, org.eclipse.jetty.security.Constraint constraintB)	Combine constrains as per the servlet specification.
static org.eclipse.jetty.security.Constraint	createConstraint(String name, jakarta.servlet.HttpConstraintElement element)	Create a Constraint
static org.eclipse.jetty.security.Constraint	createConstraint(String name, String[] rolesAllowed, jakarta.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny, jakarta.servlet.annotation.ServletSecurity.TransportGuarantee transport)	Create Constraint
static List<ConstraintMapping>	createConstraintsWithMappingsForPath(String name, String pathSpec, jakarta.servlet.ServletSecurityElement securityElement)	Generate Constraints and ConstraintMappings for the given url pattern and ServletSecurityElement
protected void	doStart()
protected void	doStop()
void	dump(Appendable out, String indent)
protected org.eclipse.jetty.security.Constraint	getConstraint(String pathInContext, org.eclipse.jetty.server.Request request)
List<ConstraintMapping>	getConstraintMappings()
Set<String>	getKnownRoles()
protected Set<String>	getOmittedMethods(String omission)	Given a string of the form <method>.<method>.omission split out the individual method names.
Set<String>	getPathsWithUncoveredHttpMethods()	Servlet spec 3.1 pg.
boolean	isDenyUncoveredHttpMethods()
protected boolean	omissionsExist(Map<String,org.eclipse.jetty.security.Constraint> methodMappings)	Check if any http method omissions exist in the list of method to auth info mappings.
protected void	processConstraintMapping(ConstraintMapping mapping)	Create and combine the constraint with the existing processed constraints.
protected void	processConstraintMappingWithMethodOmissions(ConstraintMapping mapping, Map<String,org.eclipse.jetty.security.Constraint> mappings)	Constraints that name method omissions are dealt with differently.
static List<ConstraintMapping>	removeConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)	Take out of the constraint mappings those that match the given path.
void	setConstraintMappings(List<ConstraintMapping> constraintMappings)	Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the Constraint class.
void	setConstraintMappings(List<ConstraintMapping> constraintMappings, Set<String> roles)	Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the Constraint class.
void	setConstraintMappings(ConstraintMapping[] constraintMappings)	Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the Constraint class.
void	setDenyUncoveredHttpMethods(boolean deny)	See Servlet Spec 31, sec 13.8.4, pg 145 When true, requests with http methods not explicitly covered either by inclusion or omissions in constraints, will have access denied.
void	setRoles(Set<String> roles)	Set the known roles.

Methods inherited from class org.eclipse.jetty.security.SecurityHandler

findIdentityService, findLoginService, getAuthenticationType, getAuthenticator, getAuthenticatorFactory, getCurrentSecurityHandler, getIdentityService, getKnownAuthenticatorFactories, getLoginService, getParameter, getParameterNames, getRealmName, getSessionMaxInactiveIntervalOnAuthentication, handle, isAuthorized, isSessionRenewedOnAuthentication, redirectToSecure, setAuthenticationType, setAuthenticator, setAuthenticatorFactory, setIdentityService, setLoginService, setParameter, setRealmName, setSessionMaxInactiveIntervalOnAuthentication, setSessionRenewedOnAuthentication

Methods inherited from class org.eclipse.jetty.server.Handler.Wrapper

getHandler, getInvocationType, setHandler

Methods inherited from class org.eclipse.jetty.server.Handler.AbstractContainer

findContainerOf, getDescendant, getDescendants, isDynamic, setDynamic, setServer

Methods inherited from class org.eclipse.jetty.server.Handler.Abstract

destroy, getServer

Methods inherited from class org.eclipse.jetty.util.component.ContainerLifeCycle

addBean, addBean, addEventListener, addManaged, contains, dump, dump, dumpObjects, dumpStdErr, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, installBean, installBean, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, start, stop, unmanage, updateBean, updateBean, updateBeans, updateBeans

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

getEventListeners, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, setEventListeners, start, stop, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.util.component.Container

getCachedBeans, getEventListeners

Methods inherited from interface org.eclipse.jetty.util.component.Destroyable

destroy

Methods inherited from interface org.eclipse.jetty.util.component.Dumpable

dumpSelf

Methods inherited from interface org.eclipse.jetty.util.component.Dumpable.DumpableContainer

isDumpable

Methods inherited from interface org.eclipse.jetty.server.Handler

getServer, setServer

Methods inherited from interface org.eclipse.jetty.server.Handler.Container

getContainer, getDescendant, getDescendants, getDescendants

Methods inherited from interface org.eclipse.jetty.server.Handler.Singleton

getHandlers, getTail, insertHandler, setHandler

Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle

addEventListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeEventListener, start, stop

Field Details

ANY_KNOWN_ROLE

public static final String ANY_KNOWN_ROLE

See Also:

• Constant Field Values

ANY_ROLE

public static final String ANY_ROLE

See Also:

• Constant Field Values

Constructor Details

ConstraintSecurityHandler

public ConstraintSecurityHandler()

Method Details

getConstraint

protected org.eclipse.jetty.security.Constraint getConstraint(String pathInContext,
 org.eclipse.jetty.server.Request request)

Specified by:

getConstraint in class org.eclipse.jetty.security.SecurityHandler

createConstraint

public static org.eclipse.jetty.security.Constraint createConstraint(String name,
 jakarta.servlet.HttpConstraintElement element)

Create a Constraint

Parameters:

name - the name

element - the http constraint element

Returns:

the created constraint

createConstraint

public static org.eclipse.jetty.security.Constraint createConstraint(String name,
 String[] rolesAllowed,
 jakarta.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny,
 jakarta.servlet.annotation.ServletSecurity.TransportGuarantee transport)

Create Constraint

Parameters:

name - the name

rolesAllowed - the list of allowed roles

permitOrDeny - the permission semantic

transport - the transport guarantee

Returns:

the created constraint

removeConstraintMappingsForPath

public static List<ConstraintMapping> removeConstraintMappingsForPath(String pathSpec,
 List<ConstraintMapping> constraintMappings)

Take out of the constraint mappings those that match the given path.

Parameters:

pathSpec - the path spec

constraintMappings - a new list minus the matching constraints

Returns:

the list of constraint mappings

createConstraintsWithMappingsForPath

public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String name,
 String pathSpec,
 jakarta.servlet.ServletSecurityElement securityElement)

Generate Constraints and ConstraintMappings for the given url pattern and ServletSecurityElement

Parameters:

name - the name

pathSpec - the path spec

securityElement - the servlet security element

Returns:

the list of constraint mappings

getConstraintMappings

public List<ConstraintMapping> getConstraintMappings()

Specified by:

getConstraintMappings in interface ConstraintAware

getKnownRoles

public Set<String> getKnownRoles()

Specified by:

getKnownRoles in interface ConstraintAware

Overrides:

getKnownRoles in class org.eclipse.jetty.security.SecurityHandler

setConstraintMappings

public void setConstraintMappings(List<ConstraintMapping> constraintMappings)

Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the Constraint class.

Parameters:

constraintMappings - The constraintMappings to set, from which the set of known roles is determined.

setConstraintMappings

public void setConstraintMappings(ConstraintMapping[] constraintMappings)

Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the Constraint class.

Parameters:

constraintMappings - The constraintMappings to set as array, from which the set of known roles is determined. Needed to retain API compatibility for 7.x

setConstraintMappings

public void setConstraintMappings(List<ConstraintMapping> constraintMappings,
 Set<String> roles)

Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the Constraint class.

Specified by:

setConstraintMappings in interface ConstraintAware

Parameters:

constraintMappings - The constraintMappings to set.

roles - The known roles (or null to determine them from the mappings)

setRoles

public void setRoles(Set<String> roles)

Set the known roles. This may be overridden by a subsequent call to setConstraintMappings(ConstraintMapping[]) or setConstraintMappings(List, Set).

Parameters:

roles - The known roles (or null to determine them from the mappings)

addConstraintMapping

public void addConstraintMapping(ConstraintMapping mapping)

Description copied from interface: ConstraintAware

Add a Constraint Mapping. May be called for running webapplication as an annotated servlet is instantiated.

Specified by:

addConstraintMapping in interface ConstraintAware

Parameters:

mapping - the mapping

addKnownRole

public void addKnownRole(String role)

Description copied from interface: ConstraintAware

Add a Role definition. May be called on running webapplication as an annotated servlet is instantiated.

Specified by:

addKnownRole in interface ConstraintAware

Parameters:

role - the role

doStart

protected void doStart()
                throws Exception

Overrides:

doStart in class org.eclipse.jetty.security.SecurityHandler

Throws:

Exception

doStop

protected void doStop()
               throws Exception

Overrides:

doStop in class org.eclipse.jetty.security.SecurityHandler

Throws:

Exception

combineServletConstraints

protected org.eclipse.jetty.security.Constraint combineServletConstraints(org.eclipse.jetty.security.Constraint constraintA,
 org.eclipse.jetty.security.Constraint constraintB)

Combine constrains as per the servlet specification. This is NOT equivalent to Constraint.combine(Constraint, Constraint), which implements a more secure combination.

Parameters:

constraintA - A constraint

constraintB - B constraint

Returns:

The combination as per the servlet specification.

processConstraintMapping

protected void processConstraintMapping(ConstraintMapping mapping)

Create and combine the constraint with the existing processed constraints.

Parameters:

mapping - the constraint mapping

processConstraintMappingWithMethodOmissions

protected void processConstraintMappingWithMethodOmissions(ConstraintMapping mapping,
 Map<String,org.eclipse.jetty.security.Constraint> mappings)

Constraints that name method omissions are dealt with differently. We create an entry in the mappings with key "<method>.omission". This entry is only ever combined with other omissions for the same method to produce a consolidated Constraint. Then, when we wish to find the relevant constraints for a given Request (in prepareConstraintInfo()), we consult 3 types of entries in the mappings: an entry that names the method of the Request specifically, an entry that names constraints that apply to all methods, entries of the form <method>.omission, where the method of the Request is not named in the omission.

Parameters:

mapping - the constraint mapping

mappings - the mappings of roles

dump

public void dump(Appendable out,
 String indent)
          throws IOException

Specified by:

dump in interface org.eclipse.jetty.util.component.Dumpable

Overrides:

dump in class org.eclipse.jetty.util.component.ContainerLifeCycle

Throws:

IOException

setDenyUncoveredHttpMethods

public void setDenyUncoveredHttpMethods(boolean deny)

Description copied from interface: ConstraintAware

See Servlet Spec 31, sec 13.8.4, pg 145 When true, requests with http methods not explicitly covered either by inclusion or omissions in constraints, will have access denied.

Specified by:

setDenyUncoveredHttpMethods in interface ConstraintAware

Parameters:

deny - true for denied method access

isDenyUncoveredHttpMethods

public boolean isDenyUncoveredHttpMethods()

Specified by:

isDenyUncoveredHttpMethods in interface ConstraintAware

checkPathsWithUncoveredHttpMethods

public boolean checkPathsWithUncoveredHttpMethods()

Servlet spec 3.1 pg. 147.

Specified by:

checkPathsWithUncoveredHttpMethods in interface ConstraintAware

Returns:

true if urls with uncovered http methods

getPathsWithUncoveredHttpMethods

public Set<String> getPathsWithUncoveredHttpMethods()

Servlet spec 3.1 pg. 147. The container must check all the combined security constraint information and log any methods that are not protected and the urls at which they are not protected

Returns:

Set of paths for which there are uncovered methods

omissionsExist

protected boolean omissionsExist(Map<String,org.eclipse.jetty.security.Constraint> methodMappings)

Check if any http method omissions exist in the list of method to auth info mappings.

Parameters:

methodMappings - the method mappings

Returns:

true if omission exist

getOmittedMethods

protected Set<String> getOmittedMethods(String omission)

Given a string of the form <method>.<method>.omission split out the individual method names.

Parameters:

omission - the method

Returns:

the set of strings